
# Generic SAML

<Note>
  This document covers step two of the [Single sign-on (SSO) setup](/docs/administration/single-sign-on) process, and shouldn't be completed independently.
</Note>

1. Log in to your identity provider.

2. Create a new application.

3. Set the following on the appropriate configuration page:

   * **Identifier or Audience:** `urn:auth0:matillion:[domain]-saml`, replacing `[domain]` with your primary email domain and converting any special characters to dashes. For instance, `example.com` becomes `urn:auth0:matillion:example-com-saml`.
   * **Reply URL**, **Assertion Consumer Service URL**, or **Single sign-on URL:** `https://id.matillion.com/login/callback`.

   <Note>
     The **Relay State** will be provided by {maia} later, and will be added here before testing. No other configuration should be changed at that stage.
   </Note>

4. Ensure the attribute passed as the **sub** (such as the **Unique User Identifier** or **Username**) is unique to each user and immutable, such as an employee ID, then click **Save**.

   <Note>
     The default value is often an email address and shouldn't be used. The value chosen here is used internally by the identity provider (as the NameID) to uniquely identify users. It's never visible in either system, and regardless of this setting, users will always sign in using their email address.

     Leaving the default value in place can cause issues if it changes in the future. In that case, {maia} would treat the user as a new account, resulting in the loss of the original user profile.

     Any value that is both unique to each user and guaranteed not to change can be used. Because each setup is different, Matillion cannot provide guidance on creating a unique attribute in your identity provider. However, the exact value being sent can be verified during the testing phase, before the configuration is activated and affects user logins.
   </Note>

5. Ensure that the following attributes or claims have been mapped as follows, and add any that are missing:
   * **name:** User's full display name.
   * **email:** User's email address.
   * **given\_name:** User's first name.
   * **family\_name:** User's last name.

6. Create a new attribute or claim named **email\_verified** and set it to return a static value of **true**. This ensures that users aren't prompted to verify their email address with {maia}.

7. Find and make a note of the following information from the application's settings:
   * **Login URL** or **Sign-in URL**.
   * The value set as the Identifier in step 3.

8. Download the certificate in Base64 format.

9. Continue the steps in [Single sign-on (SSO) setup](/docs/administration/single-sign-on).
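During the testing phase mentioned in step 4 you can inspect the assertion the identity provider actually sends. The script below is an added example (not part of this documentation or of {maia}) that checks a decoded SAML assertion against steps 3 to 6: the Audience matches the identifier derived from your email domain, the NameID is not an email address, the four attributes are present, and `email_verified` is a static `true`. It assumes the attributes are sent with their plain names in the `Name` attribute, and the sample assertion is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("name", "email", "given_name", "family_name")

def audience_for_domain(domain: str) -> str:
    """Step 3: build the Identifier/Audience, turning special characters into dashes."""
    return f"urn:auth0:matillion:{re.sub(r'[^A-Za-z0-9]', '-', domain)}-saml"

def check_assertion(xml_text: str, domain: str) -> list:
    """Return the problems found against steps 3 to 6 (an empty list means all checks passed)."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> element found"]
    # Step 3: the Audience must be the identifier derived from the primary email domain.
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if audience_for_domain(domain) not in audiences:
        problems.append(f"Audience {audiences} does not contain {audience_for_domain(domain)}")
    # Step 4: the NameID must be immutable, so an email-address NameID is flagged.
    name_id = assertion.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing")
    elif name_id.get("Format") == EMAIL_FORMAT or "@" in name_id.text:
        problems.append("NameID looks like an email address; use an immutable value such as an employee ID")
    # Steps 5 and 6: required attributes present and email_verified statically true.
    attrs = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for name in REQUIRED_ATTRS:
        if not any(v.strip() for v in attrs.get(name, [])):
            problems.append(f"attribute {name} is missing or empty")
    if [v.strip().lower() for v in attrs.get("email_verified", [])] != ["true"]:
        problems.append("email_verified must be a single static value of true")
    return problems

# Constructed sample assertion (not a real capture), shaped like a passing test-phase response.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent">E10042</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:auth0:matillion:example-com-saml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="name"><saml:AttributeValue>Ada Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="given_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute><saml:Attribute Name="family_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email_verified"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

print(check_assertion(SAMPLE, "example.com"))  # [] for the sample above
```

To check a real response, base64-decode the SAMLResponse captured from the test login, then pass the decoded XML and your email domain to `check_assertion`.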
